From 502a909f7214ff10623b2b92272fc1cfa5f3a576 Mon Sep 17 00:00:00 2001
From: averevki
Date: Tue, 14 May 2024 14:05:01 +0200
Subject: [PATCH] Change rhsso from script to kubernetes job
---
 base/rhsso/deploy-rhsso-job.yaml | 51 +++++++++++++++++++
 base/rhsso/deploy-rhsso.sh | 45 ++++++++++------
 base/rhsso/kustomization.yaml | 20 ++++++++
 base/rhsso/rbac.yaml | 17 +++++++
 .../credential-sso-secret.yaml.tpl | 0
 .../keycloak-subscription.yaml | 0
 .../{ => resources}/no-ssl-sso-route.yaml | 0
 .../{ => resources}/no-ssl-sso-service.yaml | 0
 .../{ => resources}/operator-group.yaml.tpl | 0
 base/rhsso/{ => resources}/sso-keycloak.yaml | 2 +
 10 files changed, 119 insertions(+), 16 deletions(-)
 create mode 100644 base/rhsso/deploy-rhsso-job.yaml
 create mode 100644 base/rhsso/kustomization.yaml
 create mode 100644 base/rhsso/rbac.yaml
 rename base/rhsso/{ => resources}/credential-sso-secret.yaml.tpl (100%)
 rename base/rhsso/{ => resources}/keycloak-subscription.yaml (100%)
 rename base/rhsso/{ => resources}/no-ssl-sso-route.yaml (100%)
 rename base/rhsso/{ => resources}/no-ssl-sso-service.yaml (100%)
 rename base/rhsso/{ => resources}/operator-group.yaml.tpl (100%)
 rename base/rhsso/{ => resources}/sso-keycloak.yaml (80%)
diff --git a/base/rhsso/deploy-rhsso-job.yaml b/base/rhsso/deploy-rhsso-job.yaml
new file mode 100644
index 0000000..9be412a
--- /dev/null
+++ b/base/rhsso/deploy-rhsso-job.yaml
@@ -0,0 +1,51 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: deploy-rhsso-operator
+spec:
+ template:
+ spec:
+ serviceAccountName: deploy-rhsso-operator
+ containers:
+ - name: deploy-rhsso-operator
+ image: docker.io/bitnami/kubectl:latest
+ command: ["/bin/bash", "-cx"]
+ args: ["./deploy-rhsso.sh"]
+ volumeMounts:
+ - name: rhsso-operator-resources
+ mountPath: deploy-rhsso.sh
+ subPath: deploy-rhsso.sh
+ - name: rhsso-operator-resources
+ mountPath: resources/sso-keycloak.yaml
+ subPath: sso-keycloak.yaml
+ - name: rhsso-operator-resources
+ mountPath: resources/keycloak-subscription.yaml
+ subPath: keycloak-subscription.yaml
+ - name: rhsso-operator-resources
+ mountPath: resources/no-ssl-sso-service.yaml
+ subPath: no-ssl-sso-service.yaml
+ - name: rhsso-operator-resources
+ mountPath: resources/no-ssl-sso-route.yaml
+ subPath: no-ssl-sso-route.yaml
+ - name: rhsso-operator-resources
+ mountPath: resources/operator-group.yaml.tpl
+ subPath: operator-group.yaml.tpl
+ volumes:
+ - name: rhsso-operator-resources
+ configMap:
+ name: rhsso-operator-resources
+ items:
+ - key: deploy-rhsso.sh
+ mode: 0750
+ path: deploy-rhsso.sh
+ - key: sso-keycloak.yaml
+ path: sso-keycloak.yaml
+ - key: keycloak-subscription.yaml
+ path: keycloak-subscription.yaml
+ - key: no-ssl-sso-service.yaml
+ path: no-ssl-sso-service.yaml
+ - key: no-ssl-sso-route.yaml
+ path: no-ssl-sso-route.yaml
+ - key: operator-group.yaml.tpl
+ path: operator-group.yaml.tpl
+ restartPolicy: Never
\ No newline at end of file
diff --git a/base/rhsso/deploy-rhsso.sh b/base/rhsso/deploy-rhsso.sh
index d2e7f99..a5ce53f 100755
--- a/base/rhsso/deploy-rhsso.sh
+++ b/base/rhsso/deploy-rhsso.sh
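Review bot: The job's volume references `configMap: name: rhsso-operator-resources`, but kustomization.yaml in this same commit generates the ConfigMap as `name: keycloak-operator-resources`, so the pod will sit in ContainerCreating with a missing-ConfigMap error, and kustomize's name-reference rewriting only follows references that already match the generated name; rename one side, e.g. `- name: rhsso-operator-resources` in the configMapGenerator. The container runs `image: docker.io/bitnami/kubectl:latest` under the service account that rbac.yaml binds to cluster-admin, so an unpinned public tag decides which code runs with those rights; pin it to a specific version tag or digest. The mount paths (`mountPath: deploy-rhsso.sh`, `mountPath: resources/sso-keycloak.yaml`) are relative, which only works if the image's working directory is where `args: ["./deploy-rhsso.sh"]` expects to run — worth confirming, or switching to absolute paths with an explicit `workingDir`.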
@@ -4,29 +4,42 @@ set -exuo pipefail
 command -v envsubst
 TIMEOUT_TIME="${TIMEOUT_TIME:=125}"
-FILE_ROOT="${BASH_SOURCE%/*}"
+CTL="${CTL:=kubectl}"
+RESOURCES="${BASH_SOURCE%/*}"/resources
 NAMESPACE="${NAMESPACE:=tools}"
 ADMIN_USERNAME="${ADMIN_USERNAME:="admin"}"
-ADMIN_PASSWORD="${ADMIN_PASSWORD:="admin"}"
-export NAMESPACE ADMIN_PASSWORD ADMIN_USERNAME
+export NAMESPACE ADMIN_USERNAME
-function deployRHSSO {
- <"${FILE_ROOT}"/operator-group.yaml.tpl envsubst | oc apply -n "${NAMESPACE}" -f -
- oc apply -n "${NAMESPACE}" -f "${FILE_ROOT}"/keycloak-subscription.yaml
- oc wait -n "${NAMESPACE}" --for=jsonpath=status.installPlanRef.name subscription rhsso-operator --timeout="$TIMEOUT_TIME"s
- oc wait -n "${NAMESPACE}" --for=condition=Installed installplan --all --timeout="$TIMEOUT_TIME"s
+function set_kubectl_context {
+ $CTL config set-cluster ctx --server=https://kubernetes.default --certificate-authority=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+ $CTL config set-credentials user --token="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
+ $CTL config set-context ctx --user=user --cluster=ctx
+ $CTL config use-context ctx
+}
+
+function deploy_rhsso {
+ <"${RESOURCES}"/operator-group.yaml.tpl envsubst | $CTL apply -n "${NAMESPACE}" -f -
+ $CTL apply -n "${NAMESPACE}" -f "${RESOURCES}"/keycloak-subscription.yaml
+ $CTL wait -n "${NAMESPACE}" --for=jsonpath=status.installPlanRef.name subscription rhsso-operator --timeout="$TIMEOUT_TIME"s
+ $CTL wait -n "${NAMESPACE}" installplan "$($CTL get -n "${NAMESPACE}" subscription rhsso-operator -o=jsonpath='{.status.installPlanRef.name}')" --for=condition=Installed --timeout="$TIMEOUT_TIME"s
- <"${FILE_ROOT}"/credential-sso-secret.yaml.tpl envsubst | oc apply -n "${NAMESPACE}" -f -
- oc apply -n "${NAMESPACE}" -f "${FILE_ROOT}"/sso-keycloak.yaml
- oc apply -n "${NAMESPACE}" -f "${FILE_ROOT}"/no-ssl-sso-service.yaml
- oc apply -n "${NAMESPACE}" -f "${FILE_ROOT}"/no-ssl-sso-route.yaml
+# <"${RESOURCES}"/credential-sso-secret.yaml.tpl envsubst | $CTL apply -n "${NAMESPACE}" -f -
+ $CTL apply -n "${NAMESPACE}" -f "${RESOURCES}"/sso-keycloak.yaml
+ $CTL apply -n "${NAMESPACE}" -f "${RESOURCES}"/no-ssl-sso-service.yaml
+ $CTL apply -n "${NAMESPACE}" -f "${RESOURCES}"/no-ssl-sso-route.yaml
- timeout "$TIMEOUT_TIME" bash -c "oc get statefulset -w -n ${NAMESPACE} -o name | grep -qm1 '^statefulset.apps/keycloak$'"
- oc rollout -n "${NAMESPACE}" status statefulset/keycloak --timeout="$TIMEOUT_TIME"s
+ timeout "$TIMEOUT_TIME" grep -qm1 '^statefulset.apps/keycloak$' <($CTL get statefulset -w -n "${NAMESPACE}" -o name)
+ $CTL rollout -n "${NAMESPACE}" status statefulset/keycloak --timeout="$TIMEOUT_TIME"s
- oc rsh -n "${NAMESPACE}" statefulset/keycloak bash -c "/opt/eap/bin/kcadm.sh update realms/master -s sslRequired=NONE --server http://localhost:8080/auth --realm master --user ${ADMIN_USERNAME} --password ${ADMIN_PASSWORD} --no-config"
+ ADMIN_PASSWORD="$($CTL get secret credential-sso -o jsonpath='{.data.ADMIN_PASSWORD}' | base64 -d)"
+ $CTL exec --stdin --tty statefulset/keycloak -n "${NAMESPACE}" -- /bin/bash -c "/opt/eap/bin/kcadm.sh update realms/master -s sslRequired=NONE --server http://localhost:8080/auth --realm master --user ${ADMIN_USERNAME} --password ${ADMIN_PASSWORD} --no-config"
 }
-deployRHSSO
+if [ -f /var/run/secrets/kubernetes.io/serviceaccount/token ]; then
+ NAMESPACE="$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)"
+ set_kubectl_context # if running inside kubernetes pod
+fi
+
+deploy_rhsso
diff --git a/base/rhsso/kustomization.yaml b/base/rhsso/kustomization.yaml
new file mode 100644
index 0000000..2459c34
--- /dev/null
+++ b/base/rhsso/kustomization.yaml
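Review bot: `ADMIN_PASSWORD="$($CTL get secret credential-sso -o jsonpath='{.data.ADMIN_PASSWORD}' | base64 -d)"` is the one cluster call in deploy_rhsso without `-n "${NAMESPACE}"`, and the context built by set_kubectl_context sets no namespace, so inside the job the lookup goes to the default namespace and `set -e` aborts the script before the kcadm step ever runs; change it to `ADMIN_PASSWORD="$($CTL get secret credential-sso -n "${NAMESPACE}" -o jsonpath='{.data.ADMIN_PASSWORD}' | base64 -d)"`. Because the script runs under `set -exuo pipefail` (and the job invokes it with `bash -cx`), xtrace writes the expanded `--token="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"` line and the expanded `--password ${ADMIN_PASSWORD}` line into the pod log, so anyone with log access can read the service-account token and the admin password; wrap those two commands in `set +x` … `set -x` so the trace shows the command without its secret. kubectl falls back to the in-cluster service-account configuration (token, CA and namespace) when no kubeconfig exists, so set_kubectl_context is probably unnecessary inside the pod — worth verifying with the chosen image, since dropping it also keeps the token out of the log entirely. `--tty` on the `$CTL exec` only yields an "Unable to use a TTY" warning in a job with no terminal attached; `--stdin` alone is enough for this one-shot command.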
@@ -0,0 +1,20 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+commonLabels:
+ app: rhsso-operator-deployment
+
+resources:
+ - rbac.yaml
+ - deploy-rhsso-job.yaml
+
+configMapGenerator:
+ - name: keycloak-operator-resources
+ files:
+ - deploy-rhsso.sh
+ - resources/sso-keycloak.yaml
+ - resources/keycloak-subscription.yaml
+ - resources/no-ssl-sso-route.yaml
+ - resources/no-ssl-sso-service.yaml
+ - resources/operator-group.yaml.tpl
diff --git a/base/rhsso/rbac.yaml b/base/rhsso/rbac.yaml
new file mode 100644
index 0000000..044e916
--- /dev/null
+++ b/base/rhsso/rbac.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: deploy-rhsso-operator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: deploy-rhsso-operator-admin
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+- kind: ServiceAccount
+ name: deploy-rhsso-operator
diff --git a/base/rhsso/credential-sso-secret.yaml.tpl b/base/rhsso/resources/credential-sso-secret.yaml.tpl
similarity index 100%
rename from base/rhsso/credential-sso-secret.yaml.tpl
rename to base/rhsso/resources/credential-sso-secret.yaml.tpl
diff --git a/base/rhsso/keycloak-subscription.yaml b/base/rhsso/resources/keycloak-subscription.yaml
similarity index 100%
rename from base/rhsso/keycloak-subscription.yaml
rename to base/rhsso/resources/keycloak-subscription.yaml
diff --git a/base/rhsso/no-ssl-sso-route.yaml b/base/rhsso/resources/no-ssl-sso-route.yaml
similarity index 100%
rename from base/rhsso/no-ssl-sso-route.yaml
rename to base/rhsso/resources/no-ssl-sso-route.yaml
diff --git a/base/rhsso/no-ssl-sso-service.yaml b/base/rhsso/resources/no-ssl-sso-service.yaml
similarity index 100%
rename from base/rhsso/no-ssl-sso-service.yaml
rename to base/rhsso/resources/no-ssl-sso-service.yaml
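Review bot: The RoleBinding hands the `deploy-rhsso-operator` service account the full `cluster-admin` ClusterRole inside the namespace, although deploy-rhsso.sh only applies a handful of resource kinds, waits on a subscription, installplan and statefulset, reads one secret and execs into the keycloak pod; a dedicated Role limited to those verbs keeps a compromised image (the job pulls an unpinned `:latest` tag) or a mis-scripted run from reading every secret or deleting every workload in the namespace. Being a RoleBinding rather than a ClusterRoleBinding already confines the grant to one namespace, which is good, but `cluster-admin` still means every verb on every resource there. The rules below are derived from the commands in the script; the Keycloak CR's apiGroup and whether installplans need `patch` (only if approval is manual) should be confirmed against the resource files before merging.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: deploy-rhsso-operator
rules:
  - apiGroups: ["operators.coreos.com"]
    resources: ["operatorgroups", "subscriptions", "installplans"]
    verbs: ["get", "list", "watch", "create", "patch"]
  - apiGroups: ["keycloak.org"]   # confirm against resources/sso-keycloak.yaml
    resources: ["keycloaks"]
    verbs: ["get", "list", "create", "patch"]
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["get", "list", "create", "patch"]
  - apiGroups: ["route.openshift.io"]
    resources: ["routes"]
    verbs: ["get", "list", "create", "patch"]
  - apiGroups: ["apps"]
    resources: ["statefulsets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["credential-sso"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list"]
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create"]
---
# … unchanged: ServiceAccount …
# RoleBinding: point roleRef at the Role above instead of cluster-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: deploy-rhsso-operator
```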
diff --git a/base/rhsso/operator-group.yaml.tpl b/base/rhsso/resources/operator-group.yaml.tpl
similarity index 100%
rename from base/rhsso/operator-group.yaml.tpl
rename to base/rhsso/resources/operator-group.yaml.tpl
diff --git a/base/rhsso/sso-keycloak.yaml b/base/rhsso/resources/sso-keycloak.yaml
similarity index 80%
rename from base/rhsso/sso-keycloak.yaml
rename to base/rhsso/resources/sso-keycloak.yaml
index 67598b8..1142240 100644
--- a/base/rhsso/sso-keycloak.yaml
+++ b/base/rhsso/resources/sso-keycloak.yaml
@@ -6,6 +6,8 @@ metadata:
 labels:
 app: sso
 spec:
+ DisableDefaultServiceMonitor: true
 externalAccess:
 enabled: true
 instances: 1
+
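Review bot: `DisableDefaultServiceMonitor: true` is added with no record of why, and the capitalised key reads like a typo even though, as far as I recall, it is the field name the Keycloak/RH-SSO operator CRD actually uses; a comment above it such as `# capitalised key is the operator's field name; skips the operator-managed ServiceMonitor because <PLACEHOLDER: reason, e.g. no Prometheus Operator CRDs on this cluster>` would stop the next reader from "fixing" the key or dropping the setting. The final `+` adds a blank line at the end of the file, which is harmless but looks unintended.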